Technological Sovereignty
Version: 1.0 | Effective from: 1 January 2026
1. Purpose
This directive defines the principles and requirements for ensuring the organization’s technological sovereignty — the ability to maintain control over critical technology systems and data without undesirable dependence on individual vendors or geopolitical jurisdictions.
2. Scope
This directive applies to:
- All critical information systems
- Cloud services and infrastructure
- AI/ML tools and platforms
- SaaS applications processing company data
- Vendor management and procurement
3. Key Terms
| Term | Definition |
|---|---|
| Tech Sovereignty | The organization’s ability to maintain control over technologies without undesirable dependence |
| Vendor Lock-in | A situation where switching providers is disproportionately costly or complex |
| Data Residency | The physical location where data is stored and processed |
| Exit Strategy | A documented plan for migrating away from a current vendor |
| Exit Costs | Quantified costs of switching providers |
| CLOUD Act | US law allowing US government access to data held by US companies regardless of location |
4. Governance Structure
4.1 Roles and responsibilities
*The DSO role may be shared with CISO/CTO in smaller organizations
4.2 Digital Sovereignty Officer (DSO)
Responsibilities:
| Area | Tasks |
|---|---|
| Monitoring | Tracking geopolitical risks, vendor news, regulatory changes |
| Assessment | Quarterly vendor sovereignty review, score updates |
| Strategy | Exit strategy maintenance, alternatives scouting, budget planning |
| Reporting | Board-level reporting, KPIs, risk escalation |
Qualifications:
- Knowledge of IT architecture and cloud services
- Awareness of EU regulations (NIS2, AI Act, GDPR)
- Analytical skills (vendor assessment)
- Communication skills (board reporting)
5. Data Classification for Sovereignty
5.1 Three-tier model
| Tier | Name | Description | Requirements |
|---|---|---|---|
| TIER 1 | EU-ONLY | Government data, healthcare, PII, critical trade secrets | EU sovereign cloud, self-hosted AI, EU-held keys |
| TIER 2 | EU-PRIMARY | Internal processes, analytics, business data | EU primary, US fallback, exit strategy ready |
| TIER 3 | GLOBAL | Marketing, public data, non-sensitive | Best-of-breed without restrictions |
5.2 Decision matrix
| Business criticality (rows) / Data sensitivity (columns) | Low | Medium | High |
|---|---|---|---|
| Low | TIER 3 — Global | TIER 2 — EU-Primary | TIER 1 — EU-Only |
| Medium | TIER 3 — Global | TIER 2 — EU-Primary | TIER 1 — EU-Only |
| High | TIER 2 — EU-Primary | TIER 1 — EU-Only | TIER 1 — EU-Only |
6. Vendor Sovereignty Assessment
6.1 Assessment areas
Every critical vendor must be evaluated across 4 areas (100 points in total):
Area 1: Data Residency (0-25 points)
| Criterion | Scoring |
|---|---|
| Physical data location | Domestic=5 / EU=4 / US=2 / Mix=3 / Unknown=0 |
| Subject to CLOUD Act? | No=5 / Yes=1 |
| Real GDPR compliance? | Real=5 / Paper-only=2 / Unknown=0 |
| Encryption with our keys? | Yes=5 / No=0 |
| Access audit trail? | Yes=5 / Partial=3 / No=0 |
Area 2: Vendor Lock-in & Data Act Compliance (0-25 points)
| Criterion | Scoring |
|---|---|
| Data formats | Standard=5 / Hybrid=3 / Proprietary=1 |
| Exit costs quantified? | Yes=5 / Estimate=3 / No=0 |
| Availability of alternatives | Many=5 / Some=3 / None=1 |
| API dependency | Low=5 / Medium=3 / High=1 |
| Data Act compliance | Full=5 / Partial=3 / No=0 |
Data Act compliance criteria:
- Switching rights in the contract
- Max 2 months notice period
- Self-service data export
- Switching fees = 0 (or plan to comply by 2027)
Area 3: Geopolitical Exposure (0-25 points)
| Criterion | Scoring |
|---|---|
| Share of US vendors in critical infrastructure | <30%=5 / 30-60%=3 / >60%=1 |
| Dependence on US government contracts | Low=5 / Medium=3 / High=1 |
| Political involvement of leadership | Low=5 / Medium=3 / High=1 |
| Sanctions risk | Low=5 / Medium=3 / High=1 |
| Stability history | Stable=5 / Changing=3 / Turbulent=1 |
Area 4: Continuity & Resilience (0-25 points)
| Criterion | Scoring |
|---|---|
| Single point of failure identified? | Yes+resolved=5 / Yes=3 / No=0 |
| Alternative vendor ready? | Ready=5 / Identified=3 / No=0 |
| DR without vendor tested? | Yes=5 / Partial=3 / No=0 |
| Internal competence? | Yes=5 / Partial=3 / No=0 |
| Time-to-switch estimated? | Yes=5 / Roughly=3 / No=0 |
6.2 Score interpretation
| Total score | Level | Action |
|---|---|---|
| 80-100% | High sovereignty | Maintain, quarterly review |
| 50-79% | Medium risk | Identify priorities, 90-day plan |
| 0-49% | High risk | Urgent action plan, board escalation |
7. Exit Strategy Requirements
7.1 Required components
Every critical vendor must have a documented exit strategy containing:
| Component | Description |
|---|---|
| Alternative vendor | Identified and preliminarily evaluated |
| Data export | Export procedure and format documented |
| Time estimate | Realistic time-to-switch |
| Cost estimate | Quantified exit costs |
| Responsibilities | Who does what during migration |
| Trigger criteria | When to activate the exit strategy |
7.2 Data Act Exit Strategy Extension
For cloud/SaaS vendors, add Data Act assessment:
| Component | Data Act verification |
|---|---|
| Switching rights | Are they in the contract? Do they comply with Art. 25? |
| Notice period | Max 2 months per Data Act |
| Switching costs | Documented? In compliance with Art. 25? (0 from 2027) |
| Data export | Self-service? Machine-readable format? |
| Technical assistance | Does the vendor provide migration support? |
| Escalation path | Regulator as backup in case of violation |
7.3 Testing
| Activity | Frequency |
|---|---|
| Exit strategy review | Quarterly |
| Data export test | Semi-annually |
| Data Act compliance check | Annually |
| Failover drill (if possible) | Annually |
8. Procurement Requirements
8.1 Vendor onboarding
Before onboarding a critical vendor:
- Sovereignty Assessment completed
- Data residency verified
- Exit costs estimated
- Alternative identified
- Contractual protection secured
- Data Act compliance verified (for cloud/SaaS)
8.2 Contractual clauses
Include in contracts with critical vendors:
| Clause | Purpose |
|---|---|
| Data residency | Guaranteed data location (EU/domestic) |
| Data portability | Right to export data in a standard format |
| Audit rights | Right to security audit |
| Subprocessor notification | Notification of subprocessor changes |
| Exit assistance | Support during migration |
| Price caps | Limits on price increases |
8.3 Data Act Contractual Clauses (for cloud/SaaS)
For cloud service providers, additionally include:
| Clause | Basis | Purpose |
|---|---|---|
| Switching rights | Data Act Art. 25 | Right to switch at any time |
| Max notice period | Data Act Art. 25 | Max 2 months |
| No switching fees | Data Act Art. 25 | Fee prohibition (fully from 2027) |
| Data export SLA | Data Act Art. 24 | Guaranteed export within X days |
| Machine-readable format | Data Act Art. 24 | JSON/CSV/standard format |
| Migration support | Data Act Art. 24 | Technical assistance during switching |
Template clause:
"The Provider confirms full compliance with Regulation (EU) 2023/2854 (Data Act), in particular Chapter VI regarding switching between data processing service providers. The Customer has the right to:
a) Request switching at any time during the contract term
b) Receive all their data in machine-readable format
c) Expect the switching process to commence within 2 months of request
d) Pay no switching fees (from 12 January 2027)
e) Receive technical assistance during migration
Violation of these provisions constitutes grounds for immediate contract termination and damages."
9. EU Alternatives
9.1 Reference catalogue
| US Stack | EU Alternative | Note |
|---|---|---|
| Azure/AWS/GCP | OVHcloud, Hetzner, T-Systems | Multi-cloud EU primary |
| OpenAI GPT | Mistral AI (FR), Aleph Alpha (DE) | Self-hosted Llama/Mixtral |
| GitHub Copilot | Codeium, Tabnine (self-hosted) | Local LLM for sensitive code |
| Salesforce | SAP, Pipedrive (EU) | Headless CRM + custom FE |
| Snowflake | ClickHouse, DuckDB | On-prem + EU cloud |
| Microsoft 365 | Nextcloud, OnlyOffice | Self-hosted / EU cloud |
9.2 Evaluating alternatives
Before adopting an alternative, verify:
- Functional parity (or acceptable differences)
- EU ownership/jurisdiction
- Long-term viability (funding, roadmap)
- Integration with existing infrastructure
- TCO comparison
10. Monitoring and Reporting
10.1 KPIs
| Metric | Target | Measurement frequency |
|---|---|---|
| Sovereignty Assessment score | >70% | Quarterly |
| Exit strategy coverage | 100% of critical vendors | Monthly |
| Exit costs documented | 100% of critical vendors | Quarterly |
| EU data residency % | Per tier classification | Monthly |
10.2 Reporting
| Report | Audience | Frequency |
|---|---|---|
| Sovereignty Dashboard | CISO/CTO | Monthly |
| Vendor Risk Summary | Management | Quarterly |
| Board Sovereignty Report | Board | Semi-annually |
11. Regulatory Alignment
11.1 NIS2
This directive supports compliance with NIS2 Article 21 (Supply chain security):
| NIS2 requirement | Coverage |
|---|---|
| Vendor risk assessment | Sovereignty Assessment |
| Third-party access control | Data residency requirements |
| Supply chain resilience | Exit strategy, alternatives |
11.2 AI Act
| AI Act requirement | Coverage |
|---|---|
| AI systems transparency | Vendor assessment AI/ML section |
| Data governance | Data classification tiers |
| High-risk oversight | EU-only tier for high-risk AI |
11.3 GDPR
| GDPR requirement | Coverage |
|---|---|
| Data transfer safeguards | Data residency assessment |
| Processor requirements | Vendor sovereignty score |
| DPA requirements | Contractual clauses |
11.4 Data Act (EU 2023/2854)
Changes in the Tech Sovereignty directive (v1.1)
| Section | New content |
|---|---|
| 11.4 | Data Act as a legal instrument for sovereignty |
| 12 | New section — detailed Data Act utilization |
| 12.2 | Cloud Switching Rights |
| 12.3 | Use in vendor negotiations |
| 12.4 | Exit Strategy Data Act extension |
| 12.5 | Enforcement |
| 7.2 | Exit Strategy Data Act assessment |
| 8.3 | Procurement Data Act contractual clauses + template |
| 6.2 | Vendor Assessment — Data Act compliance criterion |
The Data Act is a key legal instrument for achieving Tech Sovereignty objectives.
| Data Act provision | Sovereignty application |
|---|---|
| Cloud Switching Rights (Ch. VI) | Legally enforceable right to change cloud providers |
| Switching Fee Prohibition (from 2027) | Elimination of financial barriers to exit |
| Data Portability | Right to export data in a standard format |
| Max Notice Period (2 months) | Guaranteed fast switching |
| Unfair Terms Protection | Protection against lock-in clauses |
Practical alignment:
| Tech Sovereignty objective | Data Act legal instrument |
|---|---|
| Reducing vendor lock-in | Cloud switching rights (Art. 23-25) |
| Actionable exit strategy | Data portability (Art. 24) |
| Low switching costs | Fee prohibition from 12 January 2027 (Art. 25) |
| Fair contractual terms | Unfair terms protection (Art. 13) |
| Multi-vendor strategy | Interoperability standards (Art. 26-31) |
-> Detailed documentation: Data Act
12. Data Act as a Legal Instrument
12.1 Overview
The Data Act (effective from 12 September 2025) provides legally enforceable instruments for implementing a sovereignty strategy. Organizations should actively exercise these rights when negotiating with vendors.
12.2 Cloud Switching Rights
What the Data Act guarantees:
| Right | Description | Deadline |
|---|---|---|
| Switching at any time | Right to request switching regardless of contract | Effective from 12 September 2025 |
| Max 2 months notice | Provider must commence switching within 2 months | Effective from 12 September 2025 |
| Technical assistance | Provider must provide migration support | Effective from 12 September 2025 |
| Data export | Complete export in machine-readable format | Effective from 12 September 2025 |
| Switching fee prohibition | No fees for switching | From 12 January 2027 |
12.3 Use in negotiations
When onboarding a new vendor:
CHECKLIST: VENDOR DATA ACT COMPLIANCE
- Does the vendor have a Data Act compliant contract?
- Are switching rights explicitly stated?
- Is the notice period max 2 months?
- Is self-service data export available?
- Are switching costs transparently documented?
- Is the switching fee = 0 (or planned to comply by 2027)?
- Does migration documentation exist?
- Are data formats standard/interoperable?
When negotiating with an existing vendor:
| Situation | Data Act argument |
|---|---|
| Vendor refuses data export | "Data Act Art. 24 guarantees our right to export" |
| High exit fees | "Data Act Art. 25 prohibits switching fees from 2027" |
| Long notice periods | "Data Act Art. 25 limits notice to 2 months" |
| Lock-in clauses | "Data Act Art. 13 renders unfair terms void" |
| Proprietary formats | "Data Act Art. 24 requires machine-readable format" |
12.4 Exit Strategy Data Act Extension
Every exit strategy should include a Data Act assessment:
| Component | Traditional | + Data Act extension |
|---|---|---|
| Exit costs | Cost estimate | + Verification vs. Data Act limits |
| Timeline | Time-to-switch | + Max 2 months notice |
| Data export | Procedure | + Data Act compliant formats |
| Trigger | When to activate | + Data Act violation as trigger |
| Escalation | Internal | + Regulator as escalation path |
12.5 Enforcement
If a vendor violates the Data Act:
- Document the violation — capture evidence
- Formal complaint — written notice to the vendor referencing the Data Act
- National authority — escalate to the regulator (to be designated in each Member State)
- Legal action — contractual invalidity of unfair terms
13. Implementation
13.1 Timeline
| Phase | Activity | Deadline |
|---|---|---|
| 1 | Critical vendor inventory | +30 days |
| 2 | Sovereignty Assessment top 10 | +60 days |
| 3 | Exit strategy documentation | +90 days |
| 4 | Contractual clauses review | +120 days |
| 5 | Data Act compliance check | +150 days |
| 6 | Full implementation | +180 days |
13.2 Quick wins
- Map data residency for all critical systems
- Identify top 3 lock-in risks
- Document exit strategy for the #1 critical vendor
- Set up quarterly vendor review
- New: Verify Data Act compliance with top 3 cloud vendors
14. Policy Review
- Quarterly: Sovereignty score update
- Semi-annually: Policy effectiveness review
- Annually: Full policy review + CISO approval
Next review: Q2 2026
Version: 1.1 | Date: December 2025 | Owner: CISO / CTO | Licence: CC BY-NC-SA 4.0
Changelog:
- v1.1 (31 December 2025): Integration of the Data Act as a legal instrument (sections 11.4, 12), extension of Exit Strategy and Procurement with Data Act clauses